aws-amplify · osama-rizk · Nov 10, 2025 · Oct 28, 2025 · Oct 28, 2025 · Oct 29, 2025
@@ -0,0 +1,9 @@
+---
+'@aws-amplify/auth-construct': minor
+'@aws-amplify/client-config': minor
+'@aws-amplify/backend-auth': minor
+'@aws-amplify/backend': minor
+'@aws-amplify/seed': minor
+---
+
+feat(auth): Added support for email-MFA in Amplify Auth construct
@@ -144,13 +144,22 @@ export type MFA = {
     mode: 'OPTIONAL' | 'REQUIRED';
 } & MFASettings);
 
+// @public
+export type MFAEmailSettings = boolean;
+
 // @public
 export type MFASettings = {
+    totp?: MFATotpSettings;
+    sms?: MFASmsSettings;
+    email: MFAEmailSettings;
+} | {
     totp?: MFATotpSettings;
     sms: MFASmsSettings;
+    email?: MFAEmailSettings;
 } | {
     totp: MFATotpSettings;
     sms?: MFASmsSettings;
+    email?: MFAEmailSettings;
 };
 
 // @public

@@ -47,6 +47,36 @@ new AmplifyAuth(stack, 'Auth', {
 });
 ```
 
+### Email login with email MFA
+
+In this example, you will create a stack with email login and email MFA enabled. Note that email MFA requires an email sender configuration.
+
+```ts
+import { App, Stack } from 'aws-cdk-lib';
+import { AmplifyAuth } from '@aws-amplify/auth-construct';
+
+const app = new App();
+const stack = new Stack(app, 'AuthStack');
+
+new AmplifyAuth(stack, 'Auth', {
+  loginWith: {
+    email: true,
+  },
+  multifactor: {
+    mode: 'OPTIONAL',
+    email: true,
+    sms: false,
+    totp: false,
+  },
+  senders: {
+    email: {
+      fromEmail: '[email protected]',
+      fromName: 'My App',
+    },
+  },
+});
+```
+
 ### Customized email and phone login with external login providers
 
 In this example, you will create a stack with email, phone, and external login providers. Additionally, you can customize the email and phone verification messages.

@@ -1169,6 +1169,62 @@ void describe('Auth construct', () => {
       assert.equal(outputs['mfaConfiguration']['Value'], 'ON');
     });
 
+    void it('enables email MFA when email is set to true', () => {
+      new AmplifyAuth(stack, 'test', {
+        loginWith: { email: true },
+        multifactor: { mode: 'OPTIONAL', email: true },
+        senders: {
+          email: {
+            fromEmail: '[email protected]',
+            fromName: 'Example.com',
+          },
+        },
+      });
+
+      const template = Template.fromStack(stack);
+      template.hasResourceProperties('AWS::Cognito::UserPool', {
+        EnabledMfas: ['EMAIL_OTP'],
+      });
+      const outputs = template.findOutputs('*');
+      assert.equal(outputs['mfaTypes']['Value'], '["EMAIL"]');
+      assert.equal(outputs['mfaConfiguration']['Value'], 'OPTIONAL');
+    });
+
+    void it('enables multiple MFA types including email', () => {
+      new AmplifyAuth(stack, 'test', {
+        loginWith: { email: true },
+        multifactor: { mode: 'REQUIRED', sms: true, totp: true, email: true },
+        senders: {
+          email: {
+            fromEmail: '[email protected]',
+            fromName: 'Example.com',
+          },
+        },
+      });
+
+      const template = Template.fromStack(stack);
+      template.hasResourceProperties('AWS::Cognito::UserPool', {
+        EnabledMfas: ['SMS_MFA', 'SOFTWARE_TOKEN_MFA', 'EMAIL_OTP'],
+      });
+      const outputs = template.findOutputs('*');
+      assert.equal(outputs['mfaTypes']['Value'], '["SMS","TOTP","EMAIL"]');
+      assert.equal(outputs['mfaConfiguration']['Value'], 'ON');
+    });
+
+    void it('does not enable email MFA when email is set to false', () => {
+      new AmplifyAuth(stack, 'test', {
+        loginWith: { email: true },
+        multifactor: { mode: 'OPTIONAL', sms: true, email: false },
+      });
+
+      const template = Template.fromStack(stack);
+      template.hasResourceProperties('AWS::Cognito::UserPool', {
+        EnabledMfas: ['SMS_MFA'],
+      });
+      const outputs = template.findOutputs('*');
+      assert.equal(outputs['mfaTypes']['Value'], '["SMS"]');
+    });
+
     void it('updates socialProviders and oauth outputs when external providers are present', () => {
       new AmplifyAuth(stack, 'test', {
         loginWith: {

@@ -231,6 +231,7 @@ export class AmplifyAuth
     if (!(cfnUserPool instanceof CfnUserPool)) {
       throw Error('Could not find CfnUserPool resource in stack.');
     }
+
     const cfnUserPoolClient = userPoolClient.node.findChild(
       'Resource',
     ) as CfnUserPoolClient;
@@ -810,7 +811,7 @@ export class AmplifyAuth
    * Convert user friendly Mfa type to cognito Mfa type.
    * This eliminates the need for users to import cognito.Mfa.
    * @param mfa - MFA settings
-   * @returns cognito MFA type (sms or totp)
+   * @returns cognito MFA type (sms, totp, or email)
    */
   private getMFAType = (
     mfa: AuthProps['multifactor'],
@@ -819,6 +820,7 @@ export class AmplifyAuth
       ? {
           sms: mfa.sms ? true : false,
           otp: mfa.totp ? true : false,
+          email: mfa.email ? true : false,
         }
       : undefined;
   };
@@ -1222,14 +1224,18 @@ export class AmplifyAuth
     // extract the MFA types from the UserPool resource
     output.mfaTypes = Lazy.string({
       produce: () => {
+        const enabledMfas = cfnUserPool.enabledMfas ?? [];
         const mfaTypes: string[] = [];
-        (cfnUserPool.enabledMfas ?? []).forEach((type) => {
+        enabledMfas.forEach((type) => {
           if (type === 'SMS_MFA') {
             mfaTypes.push('SMS');
           }
           if (type === 'SOFTWARE_TOKEN_MFA') {
             mfaTypes.push('TOTP');
           }
+          if (type === 'EMAIL_OTP') {
+            mfaTypes.push('EMAIL');
+          }
         });
         return JSON.stringify(mfaTypes);
       },

@@ -13,6 +13,7 @@ export {
   VerificationEmailWithLink,
   MFA,
   MFASmsSettings,
+  MFAEmailSettings,
   MFATotpSettings,
   MFASettings,
   PhoneNumberLogin,

@@ -120,20 +120,30 @@ export type MFASmsSettings =
        */
       smsMessage: (createCode: () => string) => string;
     };
+/**
+ * If true, the MFA token is sent to the user via email.
+ */
+export type MFAEmailSettings = boolean;
 /**
  * If true, the MFA token is a time-based one time password that is generated by a hardware or software token
  * @see - https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-mfa-totp.html
  */
 export type MFATotpSettings = boolean;
 /**
- * Configure the MFA types that users can use. At least one of totp or sms is required.
+ * Configure the MFA types that users can use. At least one of totp, sms, or email is required.
  */
 export type MFASettings =
+  | {
+      totp?: MFATotpSettings;
+      sms?: MFASmsSettings;
+      email: MFAEmailSettings;
+    }
   | {
       totp?: MFATotpSettings;
       sms: MFASmsSettings;
+      email?: MFAEmailSettings;
     }
-  | { totp: MFATotpSettings; sms?: MFASmsSettings };
+  | { totp: MFATotpSettings; sms?: MFASmsSettings; email?: MFAEmailSettings };
 
 /**
  * MFA configuration. MFA settings are required if the mode is either "OPTIONAL" or "REQUIRED"

@@ -430,6 +430,10 @@ export class ReferenceAuthInitializer {
     if (userPoolMFA.SoftwareTokenMfaConfiguration?.Enabled) {
       mfaTypes.push('TOTP');
     }
+
+    if (userPoolMFA.EmailMfaConfiguration) {
+      mfaTypes.push('EMAIL_MFA');
+    }
     // social providers
     const socialProviders: string[] = [];
     if (userPoolProviders) {

@@ -27,7 +27,6 @@ type AmazonCognitoStandardAttributes_5 = 'address' | 'birthdate' | 'email' | 'fa
 
 // @public
 interface AmazonLocationServiceConfig {
-    name?: string;
     style?: string;
 }
 
@@ -222,6 +221,7 @@ export type AuthClientConfig = {
 
 // @public
 interface AWSAmplifyBackendOutputs {
+    $schema?: string;
     analytics?: {
         amazon_pinpoint?: {
             aws_region: string;
@@ -253,7 +253,7 @@ interface AWSAmplifyBackendOutputs {
         user_verification_types?: ('email' | 'phone_number')[];
         unauthenticated_identities_enabled?: boolean;
         mfa_configuration?: 'NONE' | 'OPTIONAL' | 'REQUIRED';
-        mfa_methods?: ('SMS' | 'TOTP')[];
+        mfa_methods?: ('SMS' | 'TOTP' | 'EMAIL')[];
         groups?: {
             [k: string]: AmplifyUserGroupConfig;
         }[];

@@ -90,6 +90,10 @@ export type AmplifyStorageAccessActions =
  * Config format for Amplify Gen 2 client libraries to communicate with backend services.
  */
 export interface AWSAmplifyBackendOutputs {
+  /**
+   * JSON schema
+   */
+  $schema?: string;
   /**
    * Version of this schema
    */
@@ -185,7 +189,7 @@ export interface AWSAmplifyBackendOutputs {
     user_verification_types?: ('email' | 'phone_number')[];
     unauthenticated_identities_enabled?: boolean;
     mfa_configuration?: 'NONE' | 'OPTIONAL' | 'REQUIRED';
-    mfa_methods?: ('SMS' | 'TOTP')[];
+    mfa_methods?: ('SMS' | 'TOTP' | 'EMAIL')[];
     groups?: {
       [k: string]: AmplifyUserGroupConfig;
     }[];
@@ -291,10 +295,6 @@ export interface AmplifyUserGroupConfig {
  * via the `definition` "amazon_location_service_config".
  */
 export interface AmazonLocationServiceConfig {
-  /**
-   * Map resource name
-   */
-  name?: string;
   /**
    * Map style
    */

@@ -187,7 +187,7 @@
         "mfa_methods": {
           "type": "array",
           "items": {
-            "enum": ["SMS", "TOTP"]
+            "enum": ["SMS", "TOTP", "EMAIL"]
           }
         },
         "groups": {

@@ -3,7 +3,7 @@ import { AmplifyUserError } from '@aws-amplify/platform-core';
 
 export type AuthConfiguration = {
   userPoolId: string;
-  mfaMethods?: ('SMS' | 'TOTP')[];
+  mfaMethods?: ('SMS' | 'TOTP' | 'EMAIL')[];
   mfaConfig?: 'NONE' | 'REQUIRED' | 'OPTIONAL';
   groups?: string[];
 };